Why mortgage brokers are prime targets for cybercrime

Mortgage brokers regularly work with sensitive personal and financial client information. This can include anything from credit scores and repayment histories to employment information, tax file numbers and loan application data. Often, this kind of information is stored digitally and transmitted between lenders and third-party platforms. From a cybercriminal’s perspective, this kind of information is highly valuable.

“Stolen data can be used for identity theft, fraudulent loan applications or sold for a profit on the dark web,” says Akshaye Kalkura, virtual Chief Information Security Officer at BizCover. “This makes mortgage brokerages an appealing target for cybercriminals, regardless of whether it’s a large organisation or an independent sole trader.”

In the wake of the fintech youX cyberattack, where hackers reportedly stole more than 140GB worth of sensitive customer data by exploiting system vulnerabilities, Akshaye’s message is highly relevant – especially for small businesses.

Large-scale cyberattacks, like the youX attack, often make headlines, but small- and medium-sized businesses are also at risk. In fact, the latest Annual Cyber Threat Report 2024-2025 found that large businesses continued to have the lowest number of reported cyberattack incidents, accounting for only 12% of reports from all businesses (a 22% decrease from the previous year).

In addition, the average cost of a single data incident for a small business rose by 14% to $56,600. This cost has been steadily rising over the last three years. In the current economic climate, a financial hit like that could create serious problems for a small business.

Common causes of data breaches in broking businesses

  • Remote and hybrid work: The shift toward remote and hybrid work has expanded the digital perimeter of broking businesses. Staff accessing systems from home networks or personal devices can increase exposure if security controls are inconsistent.
  • Physical cyber risks: A stolen or misplaced laptop or mobile phone that contains client information could lead to a data breach if not secured properly or encrypted.
  • Phishing and business email compromise (BEC): Cybercriminals frequently use deceptive emails or messages to trick brokers or staff into revealing login credentials, clicking malicious links or transferring funds.
  • Vishing (voice phishing): Akshaye notes that there are reports that suggest “identity theft via vishing is on the rise.” As well as suspicious emails and messages, brokers should be on the alert for strange phone calls or recordings, even if they sound like someone they know. With AI, cybercriminals can easily imitate another person’s voice.
  • Third-party platform vulnerabilities: Brokers often rely on aggregators, cloud-based CRMs and lender systems. Whether a breach occurs within a brokerage’s own systems or through a connected service provider, sensitive client data shared across platforms may be exposed.
  • Outdated software and unpatched systems: Failing to install security updates in a timely manner can leave known vulnerabilities open for exploitation by attackers. Don’t ignore that pop-up window next time it prompts you to update.

The consequences of a data breach

A cyber incident is rarely a minor inconvenience for a small business owner. It can trigger a chain reaction of financial pain, regulatory scrutiny and reputational harm that may take months – and possibly even years – to fully recover from.

Financial costs

A data breach can carry immediate and often unexpected financial consequences for a brokerage. Once the data breach has been detected, the business may need to engage IT specialists to investigate how the incident occurred, contain the problem and restore affected systems. In more serious cases, ransomware attacks can result in extortion demands or prolonged system outages.

Akshaye says, “Even if client data is not permanently lost, business interruption can still be costly. Especially for SMEs.”

Legal and regulatory ramifications

In Australia, businesses that handle personal information may be subject to the Privacy Act 1988 (Cth) and the Notifiable Data Breaches (NDB) scheme. This means that brokers may face legal and regulatory responsibilities in addition to direct financial costs following a data breach. Managing these requirements can be complex and time-consuming, especially during an already stressful period. There is also the risk of legal claims from clients whose personal or financial information has been compromised.

Reputational damage and loss of client trust

Trust is central to the broker–client relationship, and once that confidence is shaken, it can be difficult to rebuild. While the financial and legal fallout of a data breach can be significant, the long-term impact on a brokerage’s reputation may be even more damaging.

Minimise your cyber risk

While maintaining cybersecurity standards can seem complex, there are several straightforward steps that mortgage brokers can take to significantly reduce their exposure, explains Akshaye.

1. Maintain cyber hygiene

“Basic cyber hygiene is one of the most effective defences against cyber risks,” Akshaye says.

This includes using strong, unique passwords for every system and avoiding password reuse across platforms. Where possible, enable multi-factor authentication (MFA) to add an extra layer of protection beyond just a password.

2. Facilitate staff training

“Human error remains one of the most common entry points for cybercriminals, with phishing emails, reused or weak passwords and accidental data sharing all posing ongoing risks,” says Akshaye.

This is particularly true in industries that rely heavily on email communication and document sharing.

Regular staff training can help employees recognise phishing emails, suspicious links, unusual payment requests and impersonation attempts. Even short refresher sessions or simulated phishing exercises can significantly improve awareness.

3. Review staff access

Akshaye’s final tip is to review who has access to client data and whether that access is still necessary.

“Limiting permissions and regularly checking security settings on third-party platforms can help close potential gaps before they become problems.”

Applying the principle of least privilege (where staff only have access to the information and systems they genuinely need) can help to reduce risk. This is especially important when roles change or employees leave the business.

4. Consider Cyber Liability insurance

Cyber Liability insurance can also help brokers recover quickly from a data breach if the worst should occur. Cyber Liability insurance generally covers losses from claims arising from data breaches, business interruption and remediation costs following an actual or threatened data breach, and some policies offer optional cover for social engineering, phishing or cyber fraud.


This information is general only and does not take into account your objectives, financial situation or needs. It should not be relied upon as advice. As with any insurance, cover will be subject to the terms, conditions and exclusions contained in the policy wording or Product Disclosure Statement (available on our website). Please consider whether the advice is suitable for you before proceeding with any purchase. Target Market Determination document is also available (as applicable). © 2026 BizCover Pty Limited, all rights reserved. ABN 68 127 707 975; AFSL 501769.
